5

The Problem:

I need a way to install specific, pinned versions of some packages on my Debian system. snapshot.debian.org appears to offer a means to do this; however, even after adding a snapshot to my apt-sources I am unable to apt-get install some specific versions of the packages within that snapshot archive.

The Question:

What is the official or "correct" way of installing a specific package version from a Debian snapshot archive?

Background & What I've Tried:

Let's use Debian 8 Jessie and the 3.16.x kernel binary one minor version behind the current one as our examples. As of this writing, Jessie's released kernel is 3.16.43-2+deb8u5. Say I want to install 3.16.43-2+deb8u4.

I begin by searching the debian snapshot archives for the version I want (http://snapshot.debian.org/binary/linux-image-3.16.0-4-amd64/) and click on the exact version of the kernel that I'm looking for, which gets me to http://snapshot.debian.org/package/linux/3.16.43-2%2Bdeb8u4/#linux-image-3.16.0-4-amd64_3.16.43-2:2b:deb8u4

From there, I can see that the package was "Seen in debian-security on 2017-09-20 22:12:21" and "Seen in debian on 2017-10-08 16:31:52". I decide to use the former and settle on debian-security snapshot 20170920T221221Z.

Following the instructions on the front page of snapshot.debian.org, I add the following to my /etc/apt/sources.list:

deb http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates main
deb-src http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates main

I then run apt-get -o Acquire::Check-Valid-Until=false update and see that the update (appears to) successfully complete.

I'd think this would allow me to now install the desired version of the kernel but apt only knows about two installation candidates, 3.16.43-2+deb8u2 and 3.16.43-2+deb8u5. No sign of +deb8u4:

# apt-cache madison linux-image-3.16.0-4-amd64
linux-image-3.16.0-4-amd64 | 3.16.43-2+deb8u5 | http://security.debian.org/ jessie/updates/main amd64 Packages
linux-image-3.16.0-4-amd64 | 3.16.43-2+deb8u5 | http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates/main amd64 Packages
linux-image-3.16.0-4-amd64 | 3.16.43-2+deb8u2 | http://cloudfront.debian.net/debian/ jessie/main amd64 Packages
linux-image-3.16.0-4-amd64 | 3.16.7-ckt25-2 | http://cloudfront.debian.net/debian/ jessie-updates/main amd64 Packages
     linux |  3.16.39-1 | http://cloudfront.debian.net/debian/ jessie-backports/main Sources

# apt-cache policy linux-image-3.16.0-4-amd64
linux-image-3.16.0-4-amd64:
  Installed: 3.16.43-2+deb8u5
  Candidate: 3.16.43-2+deb8u5
  Version table:
     3.16.43-2+deb8u5 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        500 http://snapshot.debian.org/archive/debian-security/20170920T221221Z/ jessie/updates/main amd64 Packages
 *** 3.16.43-2+deb8u2 0
        500 http://cloudfront.debian.net/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     3.16.7-ckt25-2 0
        500 http://cloudfront.debian.net/debian/ jessie-updates/main amd64 Packages

Additionally, if I attempt to specify and install the version I want, it returns "Not Found":

# apt-get install linux-image-3.16.0-4-amd64=3.16.43-2+deb8u4
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '3.16.43-2+deb8u4' for 'linux-image-3.16.0-4-amd64' was not found

I've managed to work around this by downloading the .deb binary and dpkg -i installing it but I'd prefer to use apt instead of curl'ing .debs down and installing them. Can anyone explain either what I need to do to be able to apt-get install a specific package or at least explain why this doesn't work the way that I expect it to?

devnall
  • When I look at the 9/20 (http://snapshot.debian.org/archive/debian-security/20170920T100602Z/pool/updates/main/l/linux/) I don't see that package. But that kernel package is there if I look at 9/21 (http://snapshot.debian.org/archive/debian-security/20170921T211512Z/pool/updates/main/l/linux/). It makes me think something about that site has some slight time calculation problems. Anyway, just try using a later date perhaps? – Zoredache Nov 06 '17 at 21:44
  • @Zoredache It looks like the snapshot you're looking at was from 10am that morning (10:06:02) but the snapshot I'm using is from 10pm (22:12:21). I think somewhere in my testing I had the same thought though and tried using the 20170921/ snapshot (which should be the first snapshot from the next day) and was still unable to install +deb8u4. – devnall Nov 06 '17 at 21:51
  • That is odd. I swear I copy and pasted the base component of the first link I used directly from the `deb http://snapshot ...` in your question. – Zoredache Nov 06 '17 at 23:16

1 Answer

3

This is not an exact science, but here's a probable explanation of why it didn't work for this specific case (it usually works, when you're not following a target changing too fast).

A given repository usually references only one version of a package in the Packages file, for your example, this one. That's not a technical obligation, for example deb https://dl.winehq.org/wine-builds/debian/ jessie main includes multiple versions of the same package in its Packages file, all retrievable by apt-get, using = like you did, but Debian (TM) doesn't keep references to multiple versions in the same Packages file.

If you look at the actual directory where the package you're looking for exists, you can see that there are both versions available:

linux-image-3.16.0-4-amd64_3.16.43-2+deb8u4_amd64.deb
linux-image-3.16.0-4-amd64_3.16.43-2+deb8u5_amd64.deb

When deb8u5 appeared, the previous reference to deb8u4 disappeared. The deb8u4 .deb might still be referenced by another repository or simply not have undergone some "garbage collection". Clicking on "prev change" in the snapshot navigation leads only to deb8u3, without deb8u4 or deb8u5. That means the change between deb8u4 and deb8u5 happened too fast for deb8u4's Packages file to be available for download, or for snapshot.debian.org to save this intermediate Packages file before deb8u5's replaced it. This reference (and the corresponding checksums, and the signed Release file) in debian-security is lost.

Just trying again with debian (instead of debian-security):

linux-image-3.16.0-4-amd64_3.16.43-2+deb8u4_amd64.deb

with a corresponding Packages.xz file. This one has the entry for deb8u2 only... and will keep only this one. The newer versions are supposed to come from debian-security until 8.10 is released, so even if they appear in the pool, that's just because snapshot.debian.org makes everything appear in the same place.

Well, sorry: for this specific package version, I don't see a way to download the deb8u4. Even if it can be downloaded from the links and dpkg -i can install it, it's not possible to validate what was downloaded, so it should be avoided.

NOTE: your method is correct. You can usually complete it by pinning your specific snapshot for some specific packages, allowing apt-get to choose them automatically (without the need for =) and preventing them from being upgraded later. That's explained here: https://wiki.debian.org/AptPreferences. Holding them (dpkg --set-selections or apt-mark hold) also works to avoid upgrades.

A.B
  • Very helpful response, thanks! My takeaway is that the methodology I was using is fine and should work the majority of the time, I just happened to pick one of the worst possible packages to test this with -- specifically, a package that was almost immediately replaced by a newer version. And that the way I can check for that in the future is to examine the Packages file for the given snapshot. Thanks again! – devnall Nov 06 '17 at 22:44
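
As an added example (not code from the question or the answer): the check described in the answer and the closing comment, parsing a snapshot's Packages index to see which versions it lists, then validating a .deb against the index entry's Size and SHA256. The sample index and payload are constructed and the helper names are hypothetical; it assumes the index text was already authenticated through the signed Release file.

```python
import hashlib
import hmac

PKG = "linux-image-3.16.0-4-amd64"
# Constructed stand-ins for a downloaded .deb and a snapshot's Packages index.
# Assumption: the index was already authenticated via the signed Release file.
SAMPLE_DEB = b"constructed stand-in for a .deb payload"
SAMPLE_INDEX = f"""Package: {PKG}
Version: 3.16.43-2+deb8u5
Architecture: amd64
Filename: pool/updates/main/l/linux/{PKG}_3.16.43-2+deb8u5_amd64.deb
Size: {len(SAMPLE_DEB)}
SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}
Description: constructed sample entry
 continuation lines start with a space

Package: unrelated-package
Version: 1.0-1
"""

def parse_packages(text):
    """Split a Packages index into stanzas (dicts of field -> value)."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # folded continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def listed_versions(index_text, package):
    """Every version of `package` that apt could see in this index."""
    return sorted(s["Version"] for s in parse_packages(index_text)
                  if s.get("Package") == package and "Version" in s)

def find_entry(index_text, package, version):
    """Stanza for package=version, or None when the index does not reference it."""
    for s in parse_packages(index_text):
        if s.get("Package") == package and s.get("Version") == version:
            return s
    return None

def verify_deb(deb_bytes, entry):
    """True only if the file matches the index entry; no entry means no validation."""
    if entry is None:
        return False
    digest = hashlib.sha256(deb_bytes).hexdigest()
    return (str(len(deb_bytes)) == entry.get("Size")
            and hmac.compare_digest(digest, entry.get("SHA256", "")))
```

A version that sits in the pool directory but is absent from `listed_versions` is the +deb8u4 situation: apt cannot select it, and `verify_deb` has no entry to check a manual download against.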